Cyber Threat Actor: APT30
| Actor Type | Location | Known Incidents |
Nation State
|
China
|
3 incidents |
|---|
Profile
APT30, also tracked as Naikon and Daggerfly, is a threat actor publicly linked to China and described in multiple sources as being tied to the Chinese military. Belgian authorities have attributed cyberespionage activities against their defense and interior ministries to this group, labeling it as a Chinese state‑backed advanced persistent threat. The actor’s known aliases appear in reporting that connects it to operations conducted on behalf of Chinese state interests, establishing a clear state nexus rather than a criminal motive. Its strategic objective, as explicitly stated in the attributions and incident summaries, is espionage aimed at compromising sovereignty, democratic processes, security infrastructure and societal integrity through the gathering of sensitive governmental information.
The actor’s targeting has been observed across both European and Asian‑Pacific regions, focusing on government ministries, premier offices and state‑owned technology entities. In July 2022, Belgian federal public services for interior and defence were compromised in a campaign that also involved APT27, APT31 and UNC 2814/GALLIUM/SOFTCELL, with the Belgian government asserting that the intrusion threatened national sovereignty and democratic stability. Earlier, in January 2020, Naikon sent a deceptive email purporting to come from the Indonesian Embassy to a member of the Western Australia Premier’s staff, delivering a Word document that contained the previously unseen Aria‑body malware. This intrusion was part of a broader operation that subsequently hit government agencies and state‑owned technology companies in Indonesia, the Philippines, Vietnam, Myanmar and Brunei, demonstrating a pattern of intelligence collection against multiple Asia‑Pacific governments.
The group’s typical tactics include initial access via spear‑phishing emails with malicious attachments, as evidenced by the Indonesian Embassy‑themed lure used against Australia. Once executed, the Aria‑body tool enables remote file manipulation, extensive data searches and the creation or deletion of files while employing evasion techniques to conceal its activity. Reporting notes that Naikon has repeatedly updated its cyberweapon, built an extensive offensive infrastructure and maintained a longstanding operation designed to penetrate numerous governments across Asia and the Pacific. These observed behaviors—phishing for initial compromise, deployment of a custom espionage‑focused malware, and repeated updates to tooling—constitute the core TTP themes directly supported by the provided source material.
